In 1965, one of the most influential bands of our times was formed: Pink
Floyd. This boot2root box has been created to celebrate 50 years of Pink
Floyd’s contribution to the music industry, with each challenge giving the
attacker an introduction to each member of the Floyd.
Wireshark was used to expose an ARP broadcast for TCP: 1337, and a netcat listener was set up on port 1337.
The target machine connected with the following message:
Port Scanning
After the machine successfully connected to the netcat listener the following
services were discovered with Nmap.
Service Enumeration
| Port | Service | Version Detection |
|------|---------|-------------------|
| TCP: 80 | HTTP | OpenBSD httpd |
| TCP: 1965 | SSH | OpenSSH 7.0 (protocol 2.0) |
HTTP Enumeration
Interrogation of the page source revealed a code comment with an ASCII encoded string.
Decoding revealed the MD5 hash: steg=33115730dbbb370fcbe9720fe632ec05
Hash Cracking
MD5 Hashcat
The discovered hash was cracked with Hashcat:
| Hash | Password |
|------|----------|
| 33115730dbbb370fcbe9720fe632ec05 | pinkfloydrocks |
Steghide
Install steghide on Kali: apt-get install -y steghide
The command steghide extract -sf pink_floyd.jpg was used to extract the data
hidden inside the image (steganography). Entering the previously
cracked password divisionbell disclosed another message containing
a base64 encoded string and another MD5 hash.
| Username | Password |
|----------|----------|
| SydBarrett | divisionbell |
SFTP Login
The discovered account credentials above allowed access to an SFTP server on
the target machine.
The file eclipsed_by_the_moon was downloaded for further
investigation.
Fatcat FAT16 Forensics Tool
The file command was used to disclose the following information about the
previously retrieved file eclipsed_by_the_moon.
Research discovered Fatcat, a forensics tool used for
recovering / extracting data from FAT16 images.
The following command was used to extract a deleted image file from the FAT16
disk image:
Viewing the image disclosed the user's password:
SSH Shell
A non-privileged SSH shell was established using the previously discovered
credentials.
Username format
The uppercase characters in the username were guessed from the previous username pattern.
| Username | Password |
|----------|----------|
| RogerWaters | hello_is_there_anybody_in_there |
Local System Enumeration
Account: RogerWaters
Enumeration of the system discovered the SUID binary: /usr/local/bin/brick
Running the SUID binary and answering the question correctly with Nick Mason changed the current user to “NickMason”.
Account: NickMason
Local enumeration of nick_mason_profile_pic.jpg discovered that the file was actually an .ogg audio file containing Morse code data.
Extracting Morse Code Data
The ogg file contained Morse code data with music playing at the same time over
both stereo channels.
Audacity was used with a high-pass filter to help remove as much of the
lower frequency music as possible, making the higher frequency Morse code tones
easier to hear.
Sonic Visualiser was also used to help visualise the Morse code dots and
dashes.
Morse Code Decoded
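| Morse Code | Character |
|------------|-----------|
| .-. | R |
| .. | I |
| -.-. | C |
| .... | H |
| .- | A |
| .-. | R |
| -.. | D |
| .-- | W |
| .-. | R |
| .. | I |
| --. | G |
| .... | H |
| - | T |
| .---- | 1 |
| ----. | 9 |
| ....- | 4 |
| ...-- | 3 |
| ..-. | F |
| .- | A |
| .-. | R |
| ..-. | F |
| .. | I |
| ... | S |
| .- | A |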
Discovered Credentials
| Username | Password |
|----------|----------|
| RichardWright | 1943farfisa |
Account: RichardWright
su - RichardWright was possible using the above credentials.
Local enumeration discovered the SUID binary
/usr/local/bin/shineon. Running the binary through
strings showed that it called the program mail without
specifying the absolute path.
Strings output:
PATH Manipulation
The following file was created:
The working directory was changed to /tmp and PATH was set to . (the current directory).
Execution of option 4 ran the mail script successfully.
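How a setuid program like shineon can call an external helper without trusting the caller's PATH, as an added example (this is not the challenge binary's source or code from the original write-up). The function name run_helper and the fixed search path /usr/bin:/bin are assumptions made for illustration.

```c
/* Added example: hardened helper launch for a setuid program (hypothetical code). */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment handed to the helper; nothing is inherited from the caller. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Weak pattern described above: system("mail") makes /bin/sh resolve "mail"
 * through the caller-controlled PATH while the process still holds the
 * owner's effective uid. */

/* Run a helper by absolute path with a clean environment (run_helper is a
 * hypothetical name). Returns the exit status, or -1 if refused or failed. */
int run_helper(const char *abs_path, char *const argv[])
{
    if (abs_path == NULL || abs_path[0] != '/')   /* refuse PATH-resolved names */
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Assumption: the helper needs no extra privilege, so drop euid/egid. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        execve(abs_path, argv, CLEAN_ENV);        /* no shell, no PATH lookup */
        _exit(127);                               /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    setenv("PATH", ".", 1);                       /* constructed hostile environment */
    char *bad[] = { "mail", NULL };
    char *chk[] = { "sh", "-c", "[ \"$PATH\" = /usr/bin:/bin ]", NULL };
    printf("relative name refused: %d\n", run_helper("mail", bad));
    printf("child sees fixed PATH (0 = yes): %d\n", run_helper("/bin/sh", chk));
    return 0;
}
```

With this pattern the strings output would show an absolute path for the helper, and a caller-supplied PATH has no effect on which program runs.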
Account: DavidGilmour
With euid set, enumeration of DavidGilmour's home directory was possible.
Running strings on david_gilmour_profile.jpg revealed the user's
password.
URL also disclosed via Apache config
The web app URL was also disclosed at /etc/httpd.conf.orig
Viewing anotherbrick.txt revealed the following:
Web Application Enumeration
Enumeration of the above web application exposed a code comment riddle:
The area of the image near the dog revealed some text strings. Using
ImageMagick the brightness was increased to disclose the strings
/welcometothemachine and
50696e6b466c6f796435305965617273
Root Shell
Searching for the string welcometothemachine discovered the
following binary: /var/www/htdocs/welcometothemachine/PinkFloyd.